March 31, 2010

ROSS PHILO
EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

VINCENT DEVITO
VICE PRESIDENT, CONTROLLER

DEBORAH J. JUDY
DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS

SUBJECT: Audit Report – Fiscal Year 2009 Information Systems General Computer Controls Capping Report (Report Number IS-AR-10-005)

This report summarizes the results of our audit of information systems general controls at the            Information Technology and Accounting Service Centers (IT/ASC) and the            Information Technology Service Center (ITSC) for fiscal year (FY) 2009 (Project Number 09RD001IS000). The objectives of the audit were to determine whether general controls for selected applications, data, and computer infrastructure at the IT centers provided reasonable assurance that computer-processed data were complete, validated for accuracy, and secure; and whether business practices complied with U.S. Postal Service policies, procedures, and standards. We performed this self-initiated audit as part of the FY 2009 financial statements audit. See Appendix A for additional information about this audit.

Conclusion

General computer controls for selected applications, data, and the computer infrastructure at the information data centers provided reasonable assurance that computer-processed data were complete, validated for accuracy, and secure. However, we identified Information Technology (IT) control issues that do not, alone or collectively, represent a significant risk to reliance on general computer controls. We issued five interim audit reports during our FY 2009 audit to assist management in improving information technology operations. See Appendix B for summaries of the audit reports we issued. This report does not contain recommendations; however, four of the interim audit reports provided recommendations to address issues identified during our audit.

The issues were in the areas of:

• Physical security related to semiannual building key surveys and reviews of identification (ID) badge access control lists.
• UNIX access controls related to            .
• Network access controls related to            .
• Windows® access controls related to            not in compliance with the Windows security standards.

While conducting the audit, we identified several additional issues that required management's attention. Management took action to correct each of the issues during the audit; therefore, we did not make recommendations to address them. The corrective actions were:

• Repairing a            facility door that separates processing and distribution center personnel from the IT/ASC.
• Resolving UNIX issues to:
  - Disable            .
  - Add a missing account and missing group.
  - Remove privileged files from a shared directory.
  - Remove an unlocked unnecessary account.
  - Restrict            to the system console.
  - Disable            .
  - Restrict access to            .
  - Limit access to            .
  - Set appropriate security mode on            .
  - Correct a primary group ID shared by multiple accounts.
• Correcting Oracle® application and user profile settings.

We summarized the status of FY 2009 and previous years' recommendations in Appendix C.[2] See Table 1 in Appendix C for a list of open recommendations and Table 2 for a list of recommendations that were closed.

This report does not contain any findings or recommendations. Management concurred with the facts presented in the report. See Appendix D for management's comments, in their entirety.

We appreciate the cooperation and courtesies provided by your staff. If you have questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at 703-248-2100.

E-Signed by Darrell E. Benjamin, Jr.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General for Revenue and Systems

Attachments

cc: Charles L. McGann
    Joseph J. Gabris
    Gregory D. Larrabee
    Sally K. Haring

[2] The recommendations in Appendix C refer to audits of IS general controls only.

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

            IT/ASCs provide computer processing and accounting services for the Postal Service.            ITSC provides infrastructure services[3] for over 38,000 Postal Service locations.
Each site includes multiple service organizations.

            IT/ASCs house three parallel service areas:

• Host Computing Services (HCS)
• Integrated Business Systems Solutions Center (IBSSC)
• Accounting Service Center (ASC)

            IT/ASC has a similar structure but without an HCS area.

HCS deploys, operates, and supports systems and applications for all business units within the Postal Service. The IBSSCs perform application development, enhancement, and maintenance of systems that enable the Postal Service to achieve its business objectives. The ASCs are responsible for a variety of accounting and finance activities. These activities include accounts payable, banking, and reconciliation issues; domestic and international claims; money orders; daily financial reporting; and payroll and benefits adjustments. All IT-related service centers report to the executive vice president, chief information officer. The ASCs report to the vice president, controller.

To facilitate the delivery of mail worldwide, the IT organization:

• Maintains the Postal Service's computing infrastructure.
• Manages the corporate-wide intranet.
• Runs the systems that connect processing centers and 38,000 post offices nationwide.
• Controls the technology supporting 650 applications for day-to-day Postal Service business, including payroll for approximately 700,000 career employees.
• Determines the strategic direction for the agency's information technology.
• Employs over 1,000 IT employees across the continental U.S.

[3] Infrastructure services are IT functions that support the overall Postal Service enterprise and include such areas as telecommunications, distributed computing, and IT help desk.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of the audit were to determine whether general controls for selected applications, data, and computer infrastructure at the IT centers provided reasonable assurance that computer-processed data were complete, validated for accuracy, and secure; and whether business practices complied with Postal Service policies, procedures, and standards.

The scope of our audit at the            IT/ASCs and the            ITSC included reviews of the following systems and control areas:

• Security management.
• Access controls.
• Configuration management.
• Segregation of duties.
• Follow-up on prior years' recommendations.

In addition, we tested the above controls as they relate to the operating systems and database platforms for the following applications:

            

To address the audit objectives, we reviewed:

• Password management practices for compliance with Postal Service standards and password settings, including expiration intervals and password complexity for normal and privileged accounts.
• Mainframe and mid-range[4] user access to commands and data to determine consistency with policies and procedures.
• Mainframe and mid-range logon IDs to ensure the IDs were properly managed and employees had access to appropriate Postal Service data and resources.
• System controls by downloading and reviewing the appropriate settings and configuration files (in some cases performing live tests to ensure that system controls were effective), interviewing IT personnel, and reviewing vendor documentation.
• Documentation that authorizes access to Postal Service systems and data to verify adequate protection of Postal Service resources.
• Critical mainframe operating system and system software datasets stored on the mainframe and secured by            and security parameters to ensure the central security system validates user access.
• Physical security procedures and practices to verify that physical access controls were in place to protect Postal Service resources.
• Information system policies and procedures to validate they were implemented, updated, and followed.
• System configuration reports and observed back-up tape handling procedures to verify management backed up critical production files and servers.
• Badge access system and key control procedures at each IT/ASC to ensure managers reviewed badge and key access lists and validated and documented the processes.

[4] In general, mid-range refers to computers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.

To supplement the general computer controls audit, our Vulnerability Assessment Team conducted tests of selected servers and databases that support the            application.[6] These tests provided management with an evaluation of the quality of security for servers where the selected applications reside.

We interviewed personnel at the various IT/ASCs to obtain relevant information and to corroborate our analyses. We also collected and analyzed documentation on policies and procedures at these locations as they pertained to the specific areas we reviewed. We judgmentally selected applications for review based on financial significance, sensitivity, elapsed time since the last review, and the platforms on which they reside. For example, to facilitate our UNIX testing, we selected finance-related applications residing on UNIX servers.

We used batch and online report tools to extract and display detailed information from the mainframe, such as user access authorizations, security resource rules governing access to application data sets, and system parameter settings.
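Several of the UNIX conditions this report lists as corrected during the audit (a primary group ID shared by multiple accounts, a missing account and missing group, an unlocked unnecessary account) and the password-setting review described above (expiration intervals for normal and privileged accounts) can be checked directly from the account files. The following is an added example, not code from this report, the OIG, or the Postal Service, showing how such checks would be automated against constructed copies of /etc/passwd, /etc/group and /etc/shadow. The policy values it applies (30- and 90-day maximum password ages, the privileged group names, and the allowlist of accounts permitted to remain unlocked) are assumptions; the report does not reproduce the Postal Service standards it tested against.

```python
"""Added example, not code from the OIG report or the Postal Service: automated checks
for UNIX account conditions listed in the report, run against constructed account files."""
from __future__ import annotations

from collections import defaultdict

# Assumed policy values; the report does not reproduce the Postal Service standards.
MAX_AGE_NORMAL = 90      # max days between password changes, ordinary accounts
MAX_AGE_PRIVILEGED = 30  # same, for UID 0 and members of PRIVILEGED_GROUPS
PRIVILEGED_GROUPS = {"root", "wheel", "dba"}
ALLOWED_UNLOCKED = {"root", "oracle", "jdoe", "asmith"}  # may hold a usable password

# Constructed sample files, not from any real host. Planted: jdoe and asmith share GID
# 1002; oper's GID 1005 has no group; dba lists a member with no account; oldtest is
# unlocked but not allowlisted; root, oracle and oldtest exceed the assumed max ages.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
oracle:x:1001:1001:Oracle owner:/opt/oracle:/bin/sh
jdoe:x:1002:1002:J. Doe:/home/jdoe:/bin/sh
asmith:x:1003:1002:A. Smith:/home/asmith:/bin/sh
oldtest:x:1004:1004:Test account:/home/oldtest:/bin/sh
oper:x:1005:1005:Operator:/home/oper:/bin/sh
"""
GROUP = """\
root:x:0:
oracle:x:1001:
jdoe:x:1002:
oldtest:x:1004:
dba:x:2000:oracle,asmith,bgone
"""
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$r00t:14700:0:99999:7:::
oracle:$6$0rcl:14500:0:90:7:::
jdoe:$6$jd0e:14600:0:90:7:::
asmith:$6$asm1:14600:0:30:7:::
oldtest:$6$0ldt:14000:0:99999:7:::
oper:!$6$0per:14650:0:60:7:::
"""

def _records(text: str) -> list[list[str]]:
    """Split colon-separated lines, skipping blanks and comments."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]

def parse_passwd(text: str) -> list[tuple[str, int, int]]:
    """(name, uid, primary gid) per account."""
    return [(f[0], int(f[2]), int(f[3])) for f in _records(text)]

def parse_group(text: str) -> list[tuple[str, int, tuple[str, ...]]]:
    """(name, gid, supplementary members) per group."""
    return [(f[0], int(f[2]), tuple(m for m in f[3].split(",") if m)) for f in _records(text)]

def parse_shadow(text: str) -> dict[str, tuple[str, int | None]]:
    """name -> (password hash, max age in days, or None when the field is empty)."""
    return {f[0]: (f[1], int(f[4]) if f[4] else None) for f in _records(text)}

def is_locked(pw_hash: str) -> bool:
    """Conventional lock markers: empty field, or a hash prefixed with "!" or "*"."""
    return pw_hash == "" or pw_hash[0] in "!*"

def audit(passwd_text: str, group_text: str, shadow_text: str) -> dict[str, list]:
    pw, gr, sh = parse_passwd(passwd_text), parse_group(group_text), parse_shadow(shadow_text)
    names = {name for name, _, _ in pw}
    known_gids = {gid for _, gid, _ in gr}
    priv_members = {m for gname, _, members in gr if gname in PRIVILEGED_GROUPS for m in members}
    findings: dict[str, list] = defaultdict(list)
    # "Correct a primary group ID shared by multiple accounts" (assumed policy:
    # one private primary group per account).
    by_gid: dict[int, list[str]] = defaultdict(list)
    for name, _, gid in pw:
        by_gid[gid].append(name)
    for gid, users in sorted(by_gid.items()):
        if len(users) > 1:
            findings["shared_primary_gid"].append((gid, users))
    # "Add a missing account and missing group": dangling GIDs and group members.
    for name, _, gid in pw:
        if gid not in known_gids:
            findings["missing_group"].append((name, gid))
    for gname, _, members in gr:
        for m in members:
            if m not in names:
                findings["missing_account"].append((gname, m))
    for name, uid, _ in pw:
        pw_hash, max_age = sh.get(name, ("", None))  # no shadow entry: treat as locked
        if is_locked(pw_hash):
            continue
        # "Remove an unlocked unnecessary account".
        if name not in ALLOWED_UNLOCKED:
            findings["unlocked_unnecessary"].append(name)
        # Password expiration interval against the normal or privileged limit.
        limit = MAX_AGE_PRIVILEGED if uid == 0 or name in priv_members else MAX_AGE_NORMAL
        if max_age is None or max_age > limit:
            findings["password_max_age"].append((name, max_age, limit))
    return dict(findings)

if __name__ == "__main__":
    for check, items in audit(PASSWD, GROUP, SHADOW).items():
        print(check, items)
```

Run against the constructed files, the script reports the shared GID 1002 (jdoe, asmith), the dangling GID 1005 on oper, the dba member bgone with no account, the unlocked oldtest account, and maximum password ages above the assumed limits for root, oracle (privileged through dba) and oldtest; jdoe and asmith pass because their intervals are within the respective limits, and the locked oper account is skipped. On a real host the three constants would be read from the files under /etc and the allowlist and age limits taken from the applicable standard.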
We used manual and automated techniques to analyze computer-processed data. Based on those tests and assessments, we concluded these data were sufficiently reliable to meet the audit objectives. We performed all system queries in a controlled environment with management's full knowledge and approval.

We conducted this performance audit from October 2008 through March 2010, in accordance with generally accepted government auditing standards, and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We discussed our observations and conclusions with management officials throughout the audit and again on February 24, 2010, and included their comments where appropriate. We used data from various mainframe and distributed systems and financial applications in the course of conducting our audit. We performed limited testing of this information as part of our review.

[5] The software security tool the Postal Service uses to enforce security policies and procedures in a mainframe environment.
[6] Database and Network Access Controls at the Information Technology and Accounting Service Centers (Report Number IS-AR-10-001, dated December 14, 2009).

PRIOR AUDIT COVERAGE

Report Title: Fiscal Year 2008 Information Systems General Controls Capping Report
Report Number: IS-AR-09-005
Final Report Date: March 19, 2009
Report Results: Overall, general computer controls were in place and working effectively. However, additional controls and actions were needed in the areas            . The report contained no recommendations.

Report Title: Fiscal Year 2007 Information Systems General Controls Capping Report
Report Number: IS-AR-08-007
Final Report Date: March 11, 2008
Report Results: Overall, general computer controls were in place and working effectively. However, additional controls and actions were needed in the areas of            . The report contained no recommendations.

Report Title: Fiscal Year 2006 Information Systems General Controls Capping Report
Report Number: IS-AR-07-009
Final Report Date: February 26, 2007
Report Results: Overall, general computer controls were in place and working effectively. However, additional controls and actions were needed in the areas of access to            . The report contained no recommendations.

APPENDIX B: SUMMARY OF REPORTS ISSUED

Physical Access Controls at the Information Technology and Accounting Service Centers (Report Number IS-AR-09-008, dated July 28, 2009).

This report presented the results of our audit of physical access controls at the Postal Service's IT/ASCs            . The objective of this audit was to determine whether the Postal Service established adequate controls to restrict physical access to information resources at the IT/ASCs. We determined that the Postal Service established adequate controls to restrict physical access to information resources at the IT/ASCs.
However, we identified an opportunity to improve compliance with Postal Service policies. Specifically, management could further minimize the risk of unauthorized modification, loss or disclosure of Postal Service information resources by conducting a semiannual survey of all building keys at the IT/ASCs and periodically reviewing the            IT/ASC ID badge access control list.

We provided recommendations to (1) develop a procedure to track and schedule key inventory surveys at the            IT/ASCs; (2) conduct a survey of all building keys at the            IT/ASC; (3) develop a procedure to track and schedule key inventories at the            IT/ASC; and (4) develop a procedure to track and schedule quarterly ID badge access reviews at the            IT/ASC. In addition, when brought to their attention, management initiated action to correct three security issues.

UNIX Access Controls at the Information Technology and Accounting Service Centers (Report Number IS-AR-09-010, dated August 10, 2009).

The report presented the results of our audit of logical access controls of UNIX information resources            . The objective of this audit was to determine whether management established adequate logical controls to limit or detect inappropriate access to its UNIX information resources. We determined that management established adequate logical access controls to limit or detect inappropriate access to UNIX information resources. However, we found the Postal Service can further improve logical access controls            .

We provided recommendations to            .

Management initiated corrective action on ten access control issues we identified during the audit. These access control issues did not, alone or collectively, represent a significant risk to reliance on general computer controls. Therefore, we did not make a recommendation regarding these specific issues.

Database and Network Access Controls at the Information Technology and Accounting Service Centers (Report Number IS-AR-10-001, dated December 14, 2009).

The report presented the results of our audit of database and network access controls at the            IT/ASCs and the            ITSC. The objective of this audit was to determine whether the Postal Service adequately controls logical access to its database and network information resources to protect these resources against unauthorized (accidental or intentional) modification, loss, damage or disclosure. We determined that database and network logical access controls were generally in place and functioning properly. However, management can improve            . Management corrected these issues during the course of our review; therefore, we did not make a recommendation regarding this issue. Further, management can improve network access controls by improving the management and monitoring of            .

We provided recommendations to (1) develop a process to review and identify appropriate network devices at the            IT/ASCs to include in the network management software; (2) periodically review and update the            are categorized appropriately; (3)            to ensure compliance with applicable hardening standards and adopt industry practices as appropriate; (4) develop procedures to ensure standardized and complete network diagrams are produced; (5) develop a procedure to provide continuous maintenance and monitoring of            [7]; and (6) incorporate a test of controls            to validate the encryption of sensitive information.

[7] A remote authentication protocol used to communicate with an authentication server.            allows a remote access server to communicate with an authentication server to determine if the user has access to the network.

Mainframe Access Controls at the Information Technology and Accounting Service Centers (Report Number IS-AR-10-003, dated December 29, 2009).

The report presented the results of our audit of the mainframe access controls at the            IT/ASCs. The objective of this audit was to determine whether the Postal Service established adequate logical controls to limit or detect inappropriate access to its mainframe operating environment. We determined that the Postal Service established adequate logical controls to limit or detect inappropriate access to its mainframe            . This report did not contain any findings or recommendations.

Windows Access Controls at the Information Technology and Accounting Service Centers (Report Number IS-AR-10-006, dated March 24, 2010).

The report presented the results of our audit of Windows access controls at the            IT/ASCs and the            ITSC. Our objective was to determine whether the Postal Service established adequate logical controls to limit or detect inappropriate access to its Windows operating environment.
We determined that the Postal Service established adequate logical controls to limit or detect inappropriate access to its Windows operating system            . However,            .

We provided recommendations to (1) revise security standards for            to clearly define system administrator responsibilities for            on a regular basis; (2) review the Windows security standards and update them as appropriate; and (3) perform a comprehensive review of the            to ensure compliance with applicable Windows security standards.

[9] System software is a set of programs designed to operate and control computer processing activities. Examples of system software include system utilities, program library systems, and file management software.

APPENDIX C: ACTION ON PRIOR YEAR RECOMMENDATIONS

Table 1: Open Recommendations

Columns: Report Number / Rec. Number, with (S) marking a significant recommendation / Description / Responsible Organizations (one X per responsible organization).

IS-AR-07-017[18]
  1(S)  Assess the risk to all IT/ASC positions for the purpose of assigning them as sensitive.  X X X X
  2     Require a periodic reassessment of the risk of sensitive positions to determine if they should retain the designation.  X X X X
  3     Establish a central location to maintain an official list of sensitive positions by occupation code, title, and job description.  X X X X
  4(S)  Notify the Postal Inspection Service when management creates a new IT/ASC position, hires a new employee, or promotes an employee to a new position to make certain management attributes the proper clearance level to the employee.  X X X X
  5     Amend the Administrative Support Manual, Issue 13, Chapter 2, Section 272 (Security Clearance), to: designate the chief postal inspector as responsible for defining the criteria for identifying sensitive positions; specify the criteria for designating a position as sensitive; and update the list of position types requiring a sensitive clearance.  X

IS-AR-08-015[19]
  1     Develop an automated procedure to identify and remove user accounts of terminated and transferred employees who no longer need access from UNIX groups.  X X X

IS-AR-09-002[20]
  3     Perform risk reassessments on the six applications reviewed during this audit.  X

Table 2: Closed Recommendations

Report Number       Recommendation Number   Responsible Organizations
IS-AR-08-009[21]    1(S), 2(S), 3(S), 4     X X X
IS-AR-08-011[22]    1(S), 2, 3              X X X
IS-AR-08-013[23]    1(S), 2, 3, 4           X X X X X
IS-AR-08-015        2                       X X X
IS-AR-09-002        1, 4                    X X
IS-AR-09-003[24]    1, 3, 4                 X X

[18] Separation of Duties            , dated August 29, 2007.
[19] Access Controls            , dated August 15, 2008.
[20] Security Policies and Procedures (Corporate-Wide) at the Information Technology and Accounting Service Centers for Fiscal Year 2008, dated November 13, 2008.
[21] Update Processes for Active Directory and CA-ACF2, dated March 14, 2008.
[22] System Software Controls at the            Information Technology and Accounting Service Centers for Fiscal Year 2008, dated June 3, 2008.
[23] Protection of Sensitive Equipment at Selected Postal Service Information Technology Facilities, dated July 9, 2008.
[24] Service Continuity at the Information Technology and Accounting Service Centers for Fiscal Year 2008, dated January 20, 2009.

APPENDIX D: MANAGEMENT'S COMMENTS